Bug 2317833 - [8.0] Internal urls are accessible with mgmt-gateway enabled
Summary: [8.0] Internal urls are accessible with mgmt-gateway enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Ceph-Dashboard
Version: 8.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 8.0
Assignee: Redouane Kachach Elhichou
QA Contact: Vinayak Papnoi
Docs Contact: Anjana Suparna Sriram
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-10-10 13:11 UTC by Vinayak Papnoi
Modified: 2024-11-25 09:13 UTC (History)
CC: 6 users

Fixed In Version: ceph-19.2.0-20.el9cp
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-11-25 09:13:07 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Github ceph ceph pull 60028 0 None Merged mgr/cephadm: adding config to enforce clients cert check for internal nginx (mTLS) 2024-10-14 10:04:39 UTC
Red Hat Issue Tracker RHCEPH-9997 0 None None None 2024-10-10 13:13:59 UTC
Red Hat Issue Tracker RHCSDASH-1687 0 None None None 2024-10-10 13:14:04 UTC
Red Hat Product Errata RHBA-2024:10216 0 None None None 2024-11-25 09:13:09 UTC

Description Vinayak Papnoi 2024-10-10 13:11:31 UTC
Description of problem:

With mgmt-gateway enabled, the internal URLs for prometheus or alertmanager are accessible when entered manually. This is a security breach as only the external URLs must be accessible with mgmt-gateway enabled.


Version-Release number of selected component (if applicable):

19.2.0-12.el9cp

How reproducible:

1/1

Steps to Reproduce:
1. Deploy a ceph 8.0 cluster
2. Deploy the mgmt-gateway service using the command below
# ceph orch apply mgmt-gateway
3. Access the dashboard using the ip address (without port number)
4. Access the external URL for prometheus/alertmanager
eg. https://<ip>/prometheus/graph?g0.expr=&g0.tab=1&g0.stacked=0&g0.show_exemplars=0&g0.range_input=1h
5. Edit the URL to make it the internal URL
eg. https://<ip>:29443/internal/prometheus/graph?g0.expr=&g0.tab=1&g0.stacked=0&g0.show_exemplars=0&g0.range_input=1h


Actual results:

Internal URL is accessible

Expected results:

Internal URL must not be accessible

Additional info:
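
The reproduction steps above can be turned into a repeatable check. The script below is an added example, not part of the bug report or of Ceph/cephadm: it fetches the external Prometheus URL through the gateway and the internal one on port 29443 exactly as pasted in the report, and reports FAIL when the internal URL serves content to a client that presents no certificate (the behaviour reported here) and PASS when the gateway either refuses the TLS handshake or answers with a 4xx/5xx (what client-certificate enforcement on the internal nginx, per the linked PR, is meant to produce). The gateway host, the assumption that the external endpoint is on 443, the function names and the pass/fail rules are this script's own; the alertmanager path is not probed because the report does not give it verbatim.

```python
"""Probe a Ceph mgmt-gateway host for BZ 2317833-style exposure.

Added example, not code from the bug report or from Ceph/cephadm.
Assumptions: gateway on 443 (the report opens the dashboard without a
port), internal endpoint on 29443, paths copied from the report.
"""
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

INTERNAL_PORT = 29443
# Path exactly as pasted in the bug report.
PROM_PATH = ("/prometheus/graph?g0.expr=&g0.tab=1&g0.stacked=0"
             "&g0.show_exemplars=0&g0.range_input=1h")


def probe_urls(host: str) -> dict:
    """External URL via the gateway and the internal URL on 29443."""
    return {
        "external": f"https://{host}{PROM_PATH}",
        "internal": f"https://{host}:{INTERNAL_PORT}/internal{PROM_PATH}",
    }


def fetch(url: str, timeout: float = 5.0) -> Tuple[Optional[int], Optional[str]]:
    """Return (http_status, error). status is None when no HTTP response
    came back at all (TLS handshake refused, connection refused, timeout).
    Server-certificate verification is disabled on purpose: the property
    under test is the server's check of the *client*, and lab clusters
    commonly run on self-signed certificates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as e:
        return e.code, None  # server answered, e.g. 400/401/403/404
    except (urllib.error.URLError, ssl.SSLError, OSError) as e:
        return None, str(e)


def classify_internal(status: Optional[int], error: Optional[str]) -> str:
    """'exposed' reproduces the bug: the internal URL served content to an
    anonymous client. 'blocked' is the expected behaviour: no HTTP response
    (handshake refused) or a 4xx/5xx from the gateway."""
    if status is None:
        return "blocked"
    if status < 400:
        return "exposed"
    return "blocked"


def verdict(external_status: Optional[int], internal_status: Optional[int],
            internal_error: Optional[str]) -> Tuple[bool, str]:
    """PASS iff the gateway is reachable on the public path and the
    internal path is blocked for a client without a certificate."""
    if external_status is None:
        return False, "gateway unreachable on the external URL"
    if classify_internal(internal_status, internal_error) == "exposed":
        return False, (f"internal URL served HTTP {internal_status} "
                       "to a client with no certificate (BZ 2317833)")
    return True, (f"internal URL blocked (status={internal_status}, "
                  f"error={internal_error})")


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <gateway-host>")
        return 2
    urls = probe_urls(argv[1])
    ext_status, _ = fetch(urls["external"])
    int_status, int_err = fetch(urls["internal"])
    ok, reason = verdict(ext_status, int_status, int_err)
    print(("PASS" if ok else "FAIL") + ": " + reason)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 probe.py <gateway-ip>` from a host that holds no gateway client certificate; a nonzero exit means the internal URL is still reachable anonymously. Treating "no HTTP response" as blocked is deliberate: with client-certificate verification enforced, the refusal may happen at the TLS layer before any HTTP status is produced.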

Comment 7 errata-xmlrpc 2024-11-25 09:13:07 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 8.0 security, bug fix, and enhancement updates), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:10216

